This blog post provides the basic configuration needed to set up a Site-to-Site VPN between two Cisco ASA firewalls using the IKEv2 protocol.

The lab scenario was set up in GNS3 using the following images:

Cisco ASAv version 9.5(2)

Cisco IOS version 15.2(4)

A VPN will be set up between the two Cisco ASA firewalls (ASAv-1 and ASAv-2). The two routers (R1 and R2) act as hosts in the local networks and generate the traffic that brings the VPN tunnel up on demand.
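The following configuration is an added example (not the original post's configuration) of an IKEv2 Site-to-Site VPN on ASAv-1 for the topology described above. All addresses, interface names, object names and the pre-shared key placeholder are constructed for this example: ASAv-1 is assumed to have 203.0.113.1 on its outside interface and 192.168.1.0/24 on its inside (toward R1, whose Loopback is 10.1.1.0/24); ASAv-2 is assumed to have 203.0.113.2 outside and 192.168.2.0/24 inside (toward R2, whose Loopback is 10.2.2.0/24). The crypto map access list deliberately matches the two Loopback networks, because those are the source and destination of the test ping and the tunnel will only match traffic listed there.

```cisco
! === ASAv-1 (all addresses constructed for this example) ===
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

! Routes: remote Loopback via the outside interface (so it reaches the crypto map),
! local Loopback via R1 on the inside
route outside 10.2.2.0 255.255.255.0 203.0.113.2
route inside 10.1.1.0 255.255.255.0 192.168.1.2

! Interesting traffic: local Loopback network to remote Loopback network.
! ASAv-2 must carry the mirror image of this ACL or the SA will not match.
object network LOCAL-LO
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LO
 subnet 10.2.2.0 255.255.255.0
access-list VPN-TO-ASAV2 extended permit ip object LOCAL-LO object REMOTE-LO

! NAT exemption: only required if inside-to-outside NAT/PAT is configured,
! otherwise translated source addresses will not match the crypto ACL
nat (inside,outside) source static LOCAL-LO LOCAL-LO destination static REMOTE-LO REMOTE-LO no-proxy-arp route-lookup

! IKEv2 (phase 1) policy and enabling IKEv2 on the outside interface
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! IPsec (phase 2) proposal
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Crypto map ties the peer, the interesting-traffic ACL and the proposal together
crypto map OUTSIDE-MAP 10 match address VPN-TO-ASAV2
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside

! Tunnel group named after the peer address; IKEv2 needs both local and remote PSKs
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-STRONG-PSK

! === ASAv-2: the lines that differ from ASAv-1 (everything else is identical) ===
! ip address 203.0.113.2 255.255.255.0 (outside), 192.168.2.1 255.255.255.0 (inside)
! route outside 10.1.1.0 255.255.255.0 203.0.113.1
! route inside 10.2.2.0 255.255.255.0 192.168.2.2
! object network LOCAL-LO -> subnet 10.2.2.0 255.255.255.0
! object network REMOTE-LO -> subnet 10.1.1.0 255.255.255.0
! access-list VPN-TO-ASAV1 extended permit ip object LOCAL-LO object REMOTE-LO
! crypto map OUTSIDE-MAP 10 match address VPN-TO-ASAV1
! crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
! tunnel-group 203.0.113.1 type ipsec-l2l (same PSK on both sides)
```

The two sides must agree on the IKEv2 policy, the IPsec proposal and the pre-shared key, and the crypto ACLs must be exact mirrors of each other; a mismatch in any of these is the usual reason the first ping never brings the tunnel up. The pre-shared key is shown as a placeholder and should be replaced with a long random value before use.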

Testing

Once the VPN configuration has been set up on both ASA firewalls, test connectivity by sending a ping from the local Loopback on one of the routers to the Loopback of the router across the VPN. The local Loopback network address and the remote Loopback network address must be defined in the crypto map's access list so that the traffic matches and is routed across the tunnel.

When establishing connectivity over the tunnel for the first time, the first ping will drop while the tunnel is being negotiated.

Use the command "show crypto ipsec sa detailed" to verify the IPsec SA. This displays information such as the crypto map, the access list and the number of packets encrypted and decrypted. If traffic is not being sent across the VPN tunnel, check that the ACL contains the correct local and remote networks; otherwise the tunnel will not work.

Use the command "show vpn-sessiondb detailed l2l". This provides clearer, more detailed information on the VPN tunnel.